[wp-hackers] Wordpress File Inclusion

Dougal Campbell dougal at gunters.org
Mon Nov 13 20:49:08 GMT 2006

Ryan Boren wrote:
> Bas Bosman wrote:
>> Has anybody seen this post on the BugTraq mailing list?
>> (Also on: http://www.securityfocus.com/archive/1/451311/30/0/threaded)
>> I'm at work and don't have access to my Wordpress test box, so I haven't
>> verified it yet.
> That code is in load_template().
> "file" is not a default query var so it should never be in
> $wp_query->query_vars unless a plugin adds it.  We can use a different
> variable name in load_template() for extra safety, I suppose.
> $template_file instead of $file.
> I cannot reproduce.
> Ryan

Yeah, I can't see any way to exploit anything here unless a plugin or
theme is injecting a 'file' value into wp_query. Should we consider
setting an extract type and/or prefix, just to lessen the possibility
that a plugin or theme could dirty the variable space?

Dougal Campbell <dougal at gunters.org>
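A constructed PHP illustration, added here and not code from this thread or from WordPress itself, of the clobbering Dougal describes and of the two extract() options he asks about (a type flag and a prefix); the function names, the sample query_vars array and the template path are assumptions:

```php
<?php
// Added example, not WordPress's own load_template(). A constructed stand-in
// for $wp_query->query_vars as a plugin or theme might have populated it.
// 'file' is not a default query var; it is only present if something added it.
$query_vars = array(
    'p'    => 42,
    'file' => 'plugin-supplied-value.php',   // constructed; collides with a local name
);

// Pattern 1: plain extract(), the shape discussed in the thread. The default
// mode is EXTR_OVERWRITE, so a query var named 'file' replaces the parameter.
function load_template_unsafe($file, $query_vars) {
    extract($query_vars);
    return $file;   // this is the path a following require_once() would receive
}

// Pattern 2: EXTR_SKIP leaves variables that already exist untouched, so the
// local $file survives. Note this only protects locals defined before extract().
function load_template_skip($file, $query_vars) {
    extract($query_vars, EXTR_SKIP);
    return $file;
}

// Pattern 3: EXTR_PREFIX_ALL imports every key under its own namespace
// ($qv_p, $qv_file), so no query var can share a name with any local at all.
function load_template_prefixed($file, $query_vars) {
    extract($query_vars, EXTR_PREFIX_ALL, 'qv');
    return array(
        'template'   => $file,
        'query_file' => isset($qv_file) ? $qv_file : null,
    );
}

$template = '/srv/www/wp-content/themes/example/index.php';   // constructed

echo "overwrite: ", load_template_unsafe($template, $query_vars), "\n";
echo "skip:      ", load_template_skip($template, $query_vars), "\n";
print_r(load_template_prefixed($template, $query_vars));
```

Renaming the parameter, as Ryan suggests, only lowers the odds of a collision; EXTR_SKIP or a prefix removes the possibility that any key in query_vars can rename the template path.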
